Understanding Modern Authentication for Native Clients

Sep 25, 2024

Modern Authentication for Native Clients

Introduction

  • Presenter: Stuart Kwan, Program Manager on the Azure Active Directory team
  • Topic: Overview of modern authentication for native clients (e.g., Outlook on a phone or PC)

Authentication Process Overview

  • Definition of native client: an application such as Outlook that runs on the user's device rather than in a browser.
  • Goal: obtain a security token that authenticates the user so Outlook can access Exchange services on her behalf.

Message Sequence Diagram

  • Introduction to message sequence diagrams:
    • A tool for mapping interactions in a protocol sequence.
    • Easier to understand than previous bubble diagrams.

Key Players in the Authentication Process

  1. Outlook (Client)
  2. Exchange (Service)
  3. Azure Active Directory (Azure AD) (Identity Provider for Exchange Online)
  4. Active Directory and ADFS (for federated scenarios)
  5. WebView (used for user interaction)

Steps in the Authentication Process

  1. Token Cache Check:

    • Outlook checks its cache for tokens.
    • If no tokens are available, an authentication sequence is initiated.
  2. Using WebView:

    • Outlook opens a system WebView. It runs in a separate process from Outlook but is rendered so that it appears to be part of the application.
    • This is better for credential entry: the user types her password into the WebView, not into Outlook, so the application never sees the key presses.
  3. Navigating to Azure AD:

    • Outlook navigates the WebView to Azure AD's authorization endpoint, which starts an OAuth 2.0 authorization code request.
    • The WebView has no existing session or cookies for Azure AD, so Azure AD displays a sign-in page.
  4. User Sign-in:

    • User (e.g., Alice) enters her user name, an e-mail-style address.
    • Azure AD performs home realm discovery on the domain part of the address to determine whether the domain is managed or federated.
    • For a federated domain, Azure AD redirects the WebView to ADFS with an authentication request so that ADFS verifies the user.
  5. ADFS Authentication:

    • Alice sees the ADFS sign-in page and enters her password there.
    • ADFS verifies her identity and returns a token (T1) to Azure AD, posted back through the WebView.
    • Azure AD validates T1 and then applies its own checks: adaptive authentication, conditional access policies, and other security measures.
  6. Authorization Code Issuance:

    • If Alice passes all checks, Azure AD redirects the WebView to Outlook's redirect URI, carrying an authorization code.
    • The redirect URI was registered with Azure AD as part of Outlook's app registration; Azure AD will only send the code to a registered URI.
    • The authorization code is included in the query string of that redirect.
  7. Completion of Interactive Sign-in:

    • Outlook recognizes the navigation to its redirect URI, extracts the authorization code from the query string, and closes the WebView.
    • This ends the interactive part of the sign-in.
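The seven steps above, written out as the client-side logic a native app would run. This is an added example, not code from the talk or from Outlook: the authority, client ID and redirect URI are placeholders, the `fake_webview` function is a constructed stand-in for the Azure AD and ADFS round trip (it echoes the state back with a made-up code, as the real redirect would), and the PKCE parameters go beyond what the page describes (RFC 8252 requires them for public native clients, and the verifier is needed when the code is redeemed in the non-interactive part). What the example shows that the outline does not is the client's own checks on the redirect: the code is accepted only from the registered redirect URI and only when the `state` matches the request that opened the WebView.

```python
"""Interactive part of the OAuth 2.0 authorization code flow as a native
client runs it: cache check, authorize request, WebView navigation, redirect
parsing. Added example; the identifiers below are placeholders, not Outlook's."""
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

AUTHORITY = "https://login.microsoftonline.com/common/oauth2/v2.0"  # assumed endpoint
CLIENT_ID = "11111111-2222-3333-4444-555555555555"  # placeholder app registration
REDIRECT_URI = "msauth://example.native.client/callback"  # placeholder registered URI


class TokenCache:
    """Step 1: the client checks its cache before any user interaction."""

    def __init__(self):
        self._entries = {}

    def get(self, account, resource):
        return self._entries.get((account, resource))

    def put(self, account, resource, token):
        self._entries[(account, resource)] = token


def _b64url(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def build_authorize_request(scopes, login_hint=None):
    """Step 3: the URL the WebView is pointed at. Returns (url, pending); pending
    holds the state and PKCE verifier needed to validate the redirect and to
    redeem the code later. PKCE is an addition beyond the page's description."""
    state = secrets.token_urlsafe(16)
    verifier = _b64url(secrets.token_bytes(32))
    challenge = _b64url(hashlib.sha256(verifier.encode()).digest())
    params = {
        "client_id": CLIENT_ID,
        "response_type": "code",
        "redirect_uri": REDIRECT_URI,
        "scope": " ".join(scopes),
        "state": state,
        "code_challenge": challenge,
        "code_challenge_method": "S256",
    }
    if login_hint:
        params["login_hint"] = login_hint
    return AUTHORITY + "/authorize?" + urlencode(params), {"state": state, "code_verifier": verifier}


def parse_redirect(url, pending):
    """Steps 6-7: called for each WebView navigation. Returns None while the
    WebView is still at Azure AD or ADFS, the code once the registered redirect
    URI is reached, and raises on a state mismatch or an error response."""
    parts = urlsplit(url)
    if parts.scheme + "://" + parts.netloc + parts.path != REDIRECT_URI:
        return None  # not our redirect; the sign-in pages keep navigating
    query = parse_qs(parts.query)
    if query.get("state", [None])[0] != pending["state"]:
        raise ValueError("state mismatch: response does not belong to this request")
    if "error" in query:
        raise RuntimeError(query["error"][0])
    return query["code"][0]


def interactive_sign_in(cache, account, resource, navigate):
    """Runs steps 1-7. navigate(url) stands in for the system WebView: it is
    handed the authorize URL and returns the final URL it landed on."""
    cached = cache.get(account, resource)
    if cached is not None:
        return {"source": "cache", "token": cached}
    url, pending = build_authorize_request([resource + "/.default"], login_hint=account)
    final_url = navigate(url)
    code = parse_redirect(final_url, pending)
    if code is None:
        raise RuntimeError("WebView closed before reaching the redirect URI")
    # The WebView closes here; code and verifier go to the token endpoint
    # in the non-interactive part of the protocol.
    return {"source": "interactive", "code": code, "code_verifier": pending["code_verifier"]}


def fake_webview(url):
    """Constructed stand-in for Azure AD + ADFS: echoes the request's state back
    with a made-up authorization code, as the real redirect would."""
    state = parse_qs(urlsplit(url).query)["state"][0]
    return REDIRECT_URI + "?" + urlencode({"code": "AQABAAIAAAD-constructed", "state": state})


if __name__ == "__main__":
    cache = TokenCache()
    # alice@example.com is a constructed account name
    print(interactive_sign_in(cache, "alice@example.com", "https://outlook.office365.com", fake_webview))
```

In a real client `navigate` is the WebView's navigation callback, and `parse_redirect` is invoked on every URL it loads; returning None for the Azure AD and ADFS pages is what lets the home realm discovery and federated sign-in steps run inside the same WebView without the client inspecting them.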

Next Steps

  • Part two will cover the non-interactive part of the protocol, in which Outlook redeems the authorization code for the access token it needs to call Exchange.